Is there? I want to know what kind of stuff they are storing on my computer so I can know if i should do anything about it.

Ever since Mv3 came into enforcement I've been using a local DNS blocklist in /etc/hosts (UHB more specifically) for locking the browser down as much as possible. Unfortunately this has lead to some major issues when browsing, i.e. 5-10 second latency for every single request that goes through the browser. Can't completely stop using some Chromium-browser since I need to test my work on the browser at some point.

I'm suspecting it's due to the browser waiting for some telemetry endpoint, or trying to get around the block through some other means (which won't work since outgoing DNS via anything else but the gateway is blocked in the firewall), and giving up after a specified time. At this point I've narrowed the issue down to the full version of UHB, as when toggling this off the requests no longer hang before going through. Firefox doesn't suffer from the same issues – every Chromium-derived platform suffers, though, including Electron applications like VSCode. Toggling async DNS off hasn't helped (which previously supposedly has helped some), neither has turning secure DNS (read Google's system DNS sinkhole workaround) off.

Out of curiosity, has anyone else encountered the same issue or is using a version of Chromium that's not suffering from the same issues? This is getting a bit infuriating, and though I've already moved my browsing on Firefox, it's still bothersome to run e.g. UI tests when every fetch operation takes 10 s. This even happens when connecting to stuff running on localhost or LAN addresses.

Hi guys as title suggests I have a pi 4b 4gb and basically I want to connect it to my isp provided router (wired connection via a lan cable) and run an openvpn config on it and then connect it to an access point that i already have (this one is wired too via a usb to RJ45 adapter and lan cable). I know that I need to flash openwrt image on an sdcard and install it on pi4 but I don't know how to configure openwrt after that and honestly the guides on the forums and internet are a little confusing (I'm not that tech savy) also I read that not all usb to RJ45 adapters work with openwrt on pi4 but I don't know which one to buy. can anyone show me a fool proof guide or tell me what I need to do? Edit: thank you all amazing people for your input I found a Google wifi mesh solution second hand (ac-1304 model) that is supported by OpenWRT latest firmware for a good price and I went with that. Gonna find a proper use case for my Raspberry Pi in the future for now gonna keep it as a tinkering device.

Hi, Im thinking about moving from gmail elsewhere but Im wondering if I should use my own domain for it, I dont have the domain yet but how to deal with whois lookup privacy? (Im EU based) are there any other issues I may run into if I chose my own domain over opening a account on posteo.de or mailbox.org with their domain. I know owning my domain will give me freedom to move my email elsewhere if I would want but I dont know if its worth it.

First things first, I've updated my LI account with a new e-mail and 2FA and now my account is "Temporarily restricted". LinkedIn require me to send them either my ID card (no way) or my legal information certified by a lawyer in my country (no way). The ID seems to be "verified" (they are nothing to compare against) by Persona, a third-party that is located in US.

I kindly asked by mail to delete my account (as outlined in Article 17 of the GDPR) using a webcall or a short video with me talkie-talking about how I would like to recover my account. "Kindly asked" whether they prefer me to bring the matter to the court (Article 77 of the GDPR). Gonna see what they reply.

Anybody who went through this? Any success? Any arguments that seemed to work on the support?

Following video of thelinuxexperiment and all the news against mozilla.
I finally switched to librewolf completely.
I exported and imported all kind of data too.

But I want to use ffsync only to keep my mobile (android) in sync with my pc (want to sync history also so flocuss etc will not work)
So I want to enable ffsync in librewolf

I have seen faq but as mozilla recently introduced their terms of usage (and all the hate against it)
Is it still private enough to use ffsync? what can be downsides?

cross-posted from: https://europe.pub/post/9311

In case you ever wanted to blur your house from google street view you can. A little privacy i suppose, its pretty easy. you dont need a reason to do it. This probaly the only thing google lets opt out of which is cool.

Originally posted on Reddit

I've been looking to switch from gmail to a different email provider that's more private. I've been hearing about Tuta, are there any drawbacks to it? Are there better options?

For a while I was planning on making the switch to protonmail but that's off the table now due to the recent events surrounding them.

So invidious isn’t working well at the moment, neither is piped. So I’m wondering what the best options are to watch YouTube right now?

I am looking for a wifi mesh system to improve the coverage in my home. I looked around and found a cheap solution with decent reviews, the Halo 50G by Mercusys (TP Link). I am not a fan of super cheap, super easy to use "magical" solutions, and within minutes of connecting just the access point I was seeing calls to the likes of google, facebook, amazon, etc in my network coming from the device. Not ideal.

I also found that Ubiquiti and Netgear may be the best options out there, but the prices I found are north of 600€ and I can not afford to pay that much right now.

So, my question is: Is there any wifi mesh system that is not using my network against me and does not empty my wallet? I am based in Europe and would like something under 200€ if possible, and ready to buy from the shelf.

Thank you for reading and for any recommendation.

I bought a Garmin Forerunner 255 watch that I want to use only with Gadgetbridge. There is an old software version on the watch and I want to update it and I don't want to connect it with Garmin Connect or Garmin Express app?

I have looked for the possibility to do an “offline” update but have not found it. Maybe the community will help?

And by burned, I mean "realize they have been burning for over a year". I'm referring to a bug in the Tor Browser flatpak that prevented the launcher from updating the actual browser, despite the launcher itself updating every week or so. The fix requires manual intervention, and this was never communicated to users. The browser itself also doesn't alert the user that it is outdated. The only reason I found out today was because the NoScript extension broke due to the browser being so old.

To make matters worse, the outdated version of the browser that I had, differs from the outdated version reported in the Github thread. In other words, if you were hoping that at least everybody affected by the bug would be stuck at the same version (and thus have the same fingerprint), that doesn't seem to be the case.

This is an extreme fingerprinting vulnerability. In fact I checked my fingerprint on multiple websites, and I had a unique fingerprint even with javascript disabled. So in other words, despite following the best privacy and security advice of:

1. using Tor Browser
2. disabling javascript
3. keeping software updated

My online habits have been tracked for over a year. Even if Duckduckgo or Startpage doesn't fingerprint users, Reddit sure does (to detect ban evasions, etc), and we all know 90% of searches lead to Reddit, and that Reddit sells data to Google. So I have been browsing the web for over a year with a false sense of security, all the while most of my browsing was linked to a single identity, and that much data is more than enough to link it to my real identity.

How was I supposed to catch this? Manually check the About page of my browser to make sure the number keeps incrementing? Browse the Github issue tracker before bed? Is all this privacy and security advice actually good, or does it just give people a false sense of security, when in reality the software isn't maintained enough for those recommendations to make a difference? Sorry for the rant, it's just all so tiring.

Edit: I want to clarify that this is not an attack on the lone dev maintaining the Tor Browser flatpak. They mention in the issue that they were fairly busy last year. I just wanted to know how other people handled this issue.

Update: I just noticed that based on this comment, the flatpak was only verified by Tor Project after this particular issue had been fixed. So perhaps I should have waited before installing the flatpak. Sigh...

I'm making this post to share some interesting less talked about things about privacy, security, and other related topics. This post has no direct goal, it's just an interesting thing to read. Anyways, here we go:

I made a post about secureblue, which is a Linux distro* (I'll talk about the technicality later) designed to be as secure as possible without compromising too much usability. I really like the developers, they're one of the nicest, most responsible developers I've seen. I make a lot of bug reports on a wide variety of projects, so they deserve the recognition.

Anyways, secureblue is a lesser known distro* with a growing community. It's a good contrast to the more well known alternative** Qubes OS, which is not very user friendly at all.

* Neither secureblue, nor Qubes OS are "distros" in the classical sense. secureblue modifies and hardens various Fedora Atomic images. Qubes OS is not a distro either, as they state themselves. It's based on the Xen Hypervisor, and virtualizes different Linux distros on their own.

** Qubes OS and secureblue aren't exactly comparable. They have different goals and deal with security in different ways, just as no threat model can be compared as "better" than any other one. This all is without mentioning secureblue can be run inside of Qubes OS, which is a whole other ballpark.

secureblue has the goal of being the most secure option "for those whose first priority is using Linux, and second priority is security." secureblue "does not claim to be the most secure option available on the desktop." (See here) Many people in my post were confused about that sentence and wondered what the most secure option for desktop is. Qubes OS is one option, however the secureblue team likely had a different option in mind when they wrote that sentence: Android.

secureblue quotes Madaiden's Insecurities on some places of their website. Madaiden's Insecurities holds the view that Linux is fundamentally insecure and praises Android as a much better option. It's a hard pill to swallow, but Madaiden's Insecurities does make valid criticisms about Linux.

However, Madaiden's Insecurities makes no mention of secureblue. Why is that? As it turns out, Madaiden's Insecurities has not been updated in over 3 years. It is still a credible source for some occasions, but some recommendations are outdated.

Many people are strictly anti-Google because of Google's extreme history of privacy violations, however those people end up harming a lot of places of security in the process. The reality is, while Google is terrible with privacy, Google is fantastic with security. As such, many projects such as GrapheneOS use Google-made devices for the operating system. GrapheneOS explains their choice, and makes an important note that it would be willing to support other devices as long as it met their security standards. Currently only Google Pixels do.

For those unfamiliar, GrapheneOS is an open source privacy and security focused custom Android distribution. The Android Open Source Project (AOSP) is an open source project developed by Google. Like the Linux kernel, it provides an open source base for Android, which allows developers to make their own custom distributions of it. GrapheneOS is one such distribution, which "DeGoogles" the device, removing the invasive Google elements of the operating system.

Some Google elements, such as Google Play Services can be optionally installed onto the device in a non-privileged way (see here and here). People may be concerned that Google Pixels can still spy on them at a hardware level even with GrapheneOS installed, but that isn't the case.

With that introduction of secure Android out of the way, let's talk about desktop Android. Android has had a hidden option for Desktop Mode for years now. It's gotten much better since it was first introduced, and with the recent release of Android 15 QPR2, Android has been given a native terminal application that virtualizes Linux distros on the device. GrapheneOS is making vast improvements to the terminal app, and there are many improvements to come.

GrapheneOS will also try to support an upcoming Pixel Laptop from Google, which will run full Android on the desktop. All of these combined means that Android is one of, if not the, most secure option for desktop. Although less usable than some more matured desktop operating systems, it is becoming more and more integrated.

By the way, if you didn't know, Android is based on Linux. It uses the Linux kernel as a base, and builds on top of it. Calling Qubes OS a distro would be like calling Android and Chrome OS distros as well. Just an interesting fact.

So, if Android (or more specifically GrapheneOS) is the most secure option for desktop, what does that mean in the future? If the terminal app is able to virtualize Linux distros, secureblue could be run inside of GrapheneOS. GrapheneOS may start to become a better version of Qubes OS, in some respects, especially with the upcoming App Communication Scopes feature, which further sandboxes apps.

However, there is one bump in the road, which is the potential for Google to be broken up. If that happens, it might put GrapheneOS and a lot of security into a weird place. There might be consequences such as Pixels not being as secure or not supporting alternative Android distributions. Android may suffer some slowdowns or halts in development, possibly putting more work on custom Android distribution maintainers. However, some good may come from it as well. Android may become more open source and less Google invasive. It's going to be interesting to see what happens.

Speaking of Google being broken up, what will happen to Chrome? I largely don't care about what happens to Chrome, but instead what happens to Chromium. Like AOSP, Chromium is an open source browser base developed by Google. Many browsers are based on Chromium, including Brave Browser and Vanadium.

Vanadium is a hardened version of Chromium developed by GrapheneOS. Like what GrapheneOS does to Android, Vanadium removes invasive Google elements from the browser and adds some privacy and security fixes. Many users who run browser fingerprinting tests on Vanadium report it having a nearly unique fingerprint. Vanadium does actually include fingerprint protections (see here and here), but not enough users use it for it to be as noticeable as the Tor Browser. "Vanadium will appear the same as any other Vanadium on the same device model, and we don't support a lot of device models." (see here)

There's currently a battle in the browser space between a few different groups, so mentioning any browser is sure to get you involved in a slap fight. The fights usually arise between these groups:

• The group that is strictly anti-Google and uses Firefox-based browsers
• The security focused group that recognizes that Firefox is insecure and opts for privacy enhanced versions of Chromium
• The political group that only care about the politics behind an organization rather than the code itself (examples: Firefox Terms of Use update, Brave Browser including a crypto wallet)

For that last one, I would like to mention that Firefox rewrote the terms after backlash, and users have the ability to disable bloatware in Brave. Since Brave is open source, it is entirely possible for someone to make a fork of it that removes unwanted elements by default, since Brave is another recommended browser by the GrapheneOS team for security reasons.

Another interesting Chromium-based browser to look at is secureblue's Trivalent, which was inspired by Vanadium. It's a good option for users that use Linux instead of Android as a desktop.

Also, about crypto, why is there a negativity around it? The reason is largely due to its use in crime, use in scams, and use in investing. However, not all cryptocurrencies are automatically bad. The original purpose behind cryptocurrency was to solve a very interesting problem.

There are some cryptocurrencies with legitimate uses, such as Monero, which is a cryptocurrency designed to be completely anonymous. Whether or not you invest in it is your own business, and unrelated to the topics of this post. Bitcoin themselves even admit that Bitcoin is not anonymous, so there is a need for Monero if you want fully decentralized, anonymous digital transactions.

On the topic of fully decentralized and anonymous things, what about secure messaging apps? Most people, even GrapheneOS and CISA, are quick to recommend Signal as the gold standard. However, another messenger comes up in discussion (and my personal favorite), which is SimpleX Chat.

SimpleX Chat is recommended by GrapheneOS occasionally, as well as other credible places. This spreadsheet is my all time favorite one comparing different messengers, and SimpleX Chat is the only one that gets full marks. Signal is a close second, but it isn't decentralized and it requires a phone number.

Anyways, if you do use Signal on Android, be sure to check out Molly, which is a client (fork) of Signal for Android with lots of hardening and improvements. It is also available to install from Accrescent.

Accrescent is an open source app store for Android focused on privacy and security. It is one of the default app stores available to install directly on GrapheneOS. It plans to be an alternative to the Google Play Store, which means it will support installing proprietary apps. Accrescent is currently in early stages of development, so there are only a handful of apps on there, but once a few issues are fixed you will find that a lot of familiar apps will support it quickly.

Many people have high hopes for Accrescent, and for good reason. Other app stores like F-Droid are insecure, which pose risks such as supply chain attacks. Accrescent is hoped to be (and currently is) one of the most secure app stores for Android.

The only other secure app store recommended by GrapheneOS is the Google Play Store. However, using it can harm user privacy, as it is a Google service like any other. You also need an account to use it.

Users of GrapheneOS recommend making an anonymous Google account by creating it using fake information from a non-suspicious (i.e. not a VPN or Tor) IP address such as a coffee shop, and always use a VPN afterwards. A lot of people aren't satisfied with that response, since the account is still a unique identifier for your device. This leads to another slap fight about Aurora Store, which allows you to (less securely) install Play Store apps using a randomly given Google account.

The difference between the Play Store approach and the Aurora Store approach is that Aurora Store's approach is k-anonymous, rather than... "normal" anonymity. The preference largely comes down to threat models, but if you value security then Aurora Store is not a good option.

Another criticism of the Play Store is that it is proprietary. The view of security between open source software and proprietary software has shifted significantly. It used to be that people viewed open source software as less secure because the source code is openly available. While technically it's easier to craft an attack for a known exploit if the source code is available, that doesn't make the software itself any less secure.

The view was then shifted to open source software being more secure, because anyone can audit the code and spot vulnerabilities. Sometimes this can help, and many vulnerabilities have been spotted and fixed faster due to the software being open source, but it isn't always the case. Rarely do you see general people looking over every line of code for vulnerabilities.

The reality is that, just because something is open source, doesn't mean it is automatically more or less secure than if it were proprietary. Being open source simply provides integrity in the project (since the developers make it as easy as possible to spot misconduct), and full accountability towards the developers when something goes wrong. Being open source is obviously better than being proprietary, that's why many projects choose to be open source, but it doesn't have to be that way for it to still be secure.

Plus, the workings of proprietary code can technically be viewed, since some code can be decompiled, reverse engineered, or simply read as assembly instructions, but all of those are difficult, time consuming, and might get you sued, so it's rare to see it happen.

I'm not advocating for the use of proprietary software, but I am advocating for less hate regarding proprietary software. Among other things, proprietary software has some security benefits in things like drivers, which is why projects like linux-libre and Libreboot are worse for security than their counterparts (see coreboot).

Those projects still have uses, especially if you value software freedom over security, but for security alone they aren't as recommended.

Disclaimer before this next section: I don't know the difference in terminology between "Atomic", "Immutable", and "Rolling Release", so forgive me for that.

Also, on the topic of software freedom, stop using Debian. Debian is outdated and insecure, and I would argue less stable too. Having used a distro with an Atomic release cycle, I have experienced far less issues than when I used Debian. Not to mention, if you mess anything up on an Atomic distro, you can just rollback to the previous boot like nothing happened, and still keep all your data. That saved me when I almost bricked my computer motifying /etc/fstab/ by hand.

Since fixes are pushed out every day, and all software is kept as up to date as possible, Atomic distros I argue give more stability than having an outdated "tried and tested" system. This is more an opinion rather than factually measured.

Once I realized the stable version of Debian uses Linux kernel 6.1, (which is 3 years old and has had actively exploited vulnerabilities), and the latest stable version of the kernel is 6.13, I switched pretty quick for that reason among others.

Now, many old kernel versions are still maintained, and the latest stable version of Android uses kernels 6.1 and 6.6 (which are still maintained), but it's still not great to use older kernel versions regardless. It isn't the only insecurity about Debian.

I really have nothing more to say. I know I touched on a lot of extremely controversial topics, but I'm sick of privacy being at odds with security, as well as other groups being at odds with each other. This post is sort of a collection of a lot of interesting privacy and security knowledge I've accrued throughout my life, and I wanted to share my perspective. I don't expect everybody to agree with me, but I'm sharing this in case it ever becomes useful to someone else.

Thanks for taking the time to read this whole thing, if you did. I spent hours writing it, so I'm sure it's gotten very long by now.

Happy Pi Day everyone!

Not that I’ve ever wanted a voice assistant, but this shoots it in the head for me.

Due to the giant GOPstrich in the room. I have switched to linux and been actively trying to learn as much computer science as possible. I set up a TOR relay using Librewolf as the browser, using socks5 to send data from the browser, through the network. As an experiment, I asked Microsoft's AI where I was and it immediately returned my city. I tried again using a VPN, with a different browser and it still got it right. So, I wanted to ask, how can we limit the telemetry collected by these programs? How can we better limit their ability to spy on us?

cross-posted from: https://programming.dev/post/26910708

My small company (less than 30 employees) has been using Skype for internal group meetings and messaging. Since it's closing, we're looking for alternatives.

I think few people in the company are privacy minded (one of the higher ups had to get scolded to stop using some random AI to listen to all his meetings and write summaries), so we need something with a low barrier to entry.

We have basically no IT department, so self hosting would be a challenge. We do self host a redmine server via docker, and we have to connect to it via VPN when we're off-site (we have several full time remote employees).

Our feature requirements are: Group and individual messaging Screen sharing Meetings up to 2 hours Inexpensive Meetings with up to 10 participants Windows (some people use Skype from their phones also, but not a requirement) Minimal friction to setup and use Minimal bugs (mature)

Some of the ideas floated: Teams Discord Google Meet Signal Telegram Jami

I really don't think we could pull off Matrix, but am I wrong? Which of these ideas bothers you the least? Is there something else I'm overlooking?

Someone made a compilation of academic reviews and blogposts here: https://community.signalusers.org/t/wiki-overview-of-third-party-security-audits/13243 but none of them seem to be real security audit reports, ex. compare with real security audits to Delta Chat: https://delta.chat/en/help#security-audits

I feel like this might be something that people here have insight on because VPNs seem to trigger Captchas a lot. What can I do to bypass them on desktop and android?